www.edge-technologies.com
White Paper | ©2016 Edge Technologies, Inc.
1
White Paper
Edge Technologies 1881 Campus Commons Drive
Suite 101 Reston, VA 20191
T 703.691.7900 F 703.691.4020
888.771.EDGE
enPortal®
OSS/BSS Integration Platform
Technical
Overview
April 2016
Table of Contents
Overview ....................................................................................................................... 4
Core Features and Capabilities ......................................................................... 6
Integration .............................................................................................................. 6
COTS-Based Product Integration Modules (PIMs) ........................ 6
PIM Failover and Traffic Management ................................................ 7
Content Retrieval ............................................................................................ 7
Application Hardening: Real-time Content Filtering and Modification ...................................................................................................... 8
Custom Integrations ..................................................................................... 9
Advanced Security ........................................................................................... 10
Attack Prevention ....................................................................................... 10
Password Management Policies .......................................................... 10
Access Control List Rules ......................................................................... 11
SSL Communications Support ............................................................... 11
Proxy Technology ........................................................................................ 11
Firewall Support .......................................................................................... 12
Protection of Private Networks and Application Assets ......... 12
User Management ............................................................................................ 13
Single Sign-On ................................................................................................ 13
Provisioning of Single Sign-On Tokens ............................................ 14
Single Sign-Out .............................................................................................. 14
Kerberos ........................................................................................................... 14
Authentication and Login Processing ............................................... 15
External User Authentication ............................................................... 15
CAC/PKI ............................................................................................................ 16
CA Single Sign-On (formerly CA SiteMinder) ................................ 16
Customer Portal to enPortal Authentication Mapping ............ 17
Two-factor Authentication Systems .................................................. 17
Web Access Management ........................................................................ 18
Custom Authentication ............................................................................. 18
IP Address and Session Limiting ......................................................... 18
Branding and Customization ..................................................................... 19
Executive Views................................................................................................. 20
enPortal Deployment Models ......................................................................... 23
Deployment Model 1: For Internal Users ............................................ 23
Deployment Model 2a: For External Users or Customers with Multi-Tenancy .................................................................................................... 24
Deployment Model 2b: In Your Existing External Portal ............ 25
Customer Example ...................................................................................... 26
Architecture ............................................................................................................. 27
Design Architecture ........................................................................................ 27
Scalability, Clustering, and Failover ....................................................... 27
Basic Deployment ........................................................................................ 28
High Availability (Failover) ................................................................... 28
Optimized Performance with Failover (Clustering) ................. 28
Running in Modern Environments ......................................................... 29
Virtualized Networks (VMware) ......................................................... 29
IPv6 Network ................................................................................................. 29
Through an Existing Proxy Server ...................................................... 29
Remote Application Delivery ................................................................ 30
Software Component Architecture ......................................................... 30
Request Engine ............................................................................................. 31
Business Logic Engine ............................................................................... 31
Integration Engine ...................................................................................... 31
Web Application Proxy and Content Filtering ............................. 32
Object Database ............................................................................................ 32
About Edge Technologies, Inc. ....................................................................... 33
Appendix A: enPortal Product Integrations ........................................... 34
Overview
Integration is no longer just a nice-to-have – it has become a must-have in commercial
and government environments around the globe.
Managers of modern companies face many challenges for providing the necessary
information and tools to their users:
Too Much Information: End-users are presented an overwhelming amount of
data. It is difficult to find the relevant data and assess the impact of issues from a
business perspective.
Numerous OSS/BSS Tools: When working with Operations Support Systems or
Business Support Systems, each tool has its own URL, login, interface, product
terminology, and unique training requirements. There is often limited native
interoperability between all of these tools.
Complexity: Users need to use data collected by monitoring tools, but want to be
shielded from the complexity of the underlying technologies.
Security and Compliance: Customers need direct, real-time access to many tools
across the network, while the security of the network is maintained.
This white paper details how the patented technology of Edge Technologies’ enPortal®
tackles all of the above challenges. enPortal provides solutions to the integrator with
elements that are critical for any deployment, including:
Time: Rapid integration of existing products from multiple vendors.
Standardization: Integration of information provided by various applications into a
single cohesive, branded display.
Flexibility: An integration platform that creates interoperability between disparate
tools, and can be rapidly adapted to meet unknown future requirements.
Convenience: A single, secure access point for all tools, with minimal disruption to
end-users when applications are replaced or upgraded.
Scalability: Support for large numbers of concurrent users without impacting
system performance.
This is why, since its release in 2000, enPortal has been a valuable tool for a diverse set
of customers, including Telecommunications companies, Managed Service Providers,
large banks, manufacturing companies, federal agencies, the U.S. Department of
Defense, foreign militaries, and other global corporations.
"The implementation has been very successful and has allowed us, in a very short
period of time, to reach our primary objectives: Secure revenue assurance and
improved Quality of Service perceived by end customers. We have achieved savings
by means of providing automated reports and proactive management of incidents for
clients avoiding SLA penalties and economic loss for the company.” - Vicente Espinaza,
Project Manager and Senior Engineer for Telefonica
Core Features and Capabilities
The core software components of enPortal combine to provide advanced capabilities
and significant benefits – many of which are unique to enPortal and not possible
through other products. enPortal offers a vast array of features and functions. The core
features/capabilities of enPortal include:
Integration of existing web-based tools and applications
Advanced Security
Single Sign-On
Integration with external user authentication systems
Branding and Customization
Dashboard Views
Multi-tenancy
Scalability
Integration
To get the most from an integration platform, customers need the ability to integrate
new content elements quickly and securely. Customers also need the ability to enable
partners and other third parties to organize application services, multi-media streams,
and web-based utilities into any number of user or role-specific views – without
complex software development.
To meet the challenge of integrating, controlling, protecting, and multiplexing fully
interactive back-end applications and content into a virtual desktop, over private and
public networks, Edge developed the patented Content Retrieval System (CRS).
COTS-Based Product Integration Modules (PIMs)
A distinct advantage of enPortal is rapid deployment, made possible by enPortal’s
prepackaged PIMs. enPortal PIMs provide plug-and-play Commercial Off-The-Shelf
(COTS)-based integration of products from BMC, CA, Cisco, EMC, HP, InfoVista, IBM,
Oracle, SevOne, VMware, and many more.
PIMs offer immediate value to an organization that has made existing investments in
these applications. Interfaces from multiple applications can be presented side-by-side
in the enPortal display to the user.
PIMs are essentially XML definitions that specify how enPortal integrates third-
party products and applications into content Channels and Views. To integrate a new
application with enPortal using a PIM, an administrator specifies the IP address, web
server port, and configuration information for a live application. enPortal then
automatically creates content Channels for the third-party application for immediate
incorporation into an enPortal page.
A list of web-based products for which Edge offers PIMs is available in Appendix A:
enPortal Product Integrations.
enPortal also integrates applications that are not web-based and that typically
cannot be integrated into other portals. Non-web application GUIs are integrated
through an integration module for remote access tools, which enable non-web or thick-
client applications to be accessed from any Java-enabled web browser.
PIM Failover and Traffic Management
The PIM Failover option configures enPortal to connect to more than one instance of an
integrated application. If there is a failure of the primary application server, the
enPortal PIM will “failover” to the backup instance of the application, providing
uninterrupted access to the application by enPortal users.
The Round-Robin option can also be enabled, which will direct users to alternate
between accessing different instances of an integrated application. This spreads the
load across the multiple back-end application servers and allows a large number of
concurrent users of the proxied tool.
Content Retrieval
An integral part of enPortal, the CRS patented technology detects, modifies, stores, and
disseminates information being retrieved from the web applications integrated through
the enPortal framework. The CRS is designed to incorporate any number of fully
interactive dynamic applications into a single cohesive view. From an administrative
perspective, CRS manages user access and control to fully interactive applications and
web content based on user, domain, and role.
CRS also provides for the multiplexing of disparate external HTTP(S) communication
streams over a single HTTP(S) port to the web browser by:
Supporting remote access to an unlimited number of fully interactive
applications through firewalls and multi-layer DMZ environments utilizing
network address translation – regardless of the application’s IP address or port
number – for transport over public networks
Supporting the ability to conceal IP addresses and port numbers to applications,
web resources and their network elements, thereby protecting the operational
network and corporate applications
Application Hardening: Real-time Content Filtering and Modification
Most companies have well-known policies in place for hardening or securing their
servers, VMs, and Operating Systems, and to look for vulnerabilities that are common
to web applications. Application and web UI hardening is a natural extension of these
critical requirements. For Managed Service Providers and IT organizations that act as
service providers, this is an essential element in delivering customer-facing views of
third-party tools safely and securely.
Only Edge Technologies, with enPortal’s HTML content filtering and modification
capabilities, can effectively harden or secure most web-based applications by
controlling which features of an application’s user interface are dynamically filtered or
modified before presentation to the user. Additionally, applications may be modified
to "behave properly" within the browser (e.g. remove pop-up windows).
Examples of content filtering, modification, and addressing potential security risks for
proxied applications often include:
Locking down access to specific URLs
Obfuscating URLs
Removing available buttons and links on web pages
Modifying menu options or labels
Removing breadcrumb trails from headers or URLs
Hiding or replacing logos
Preventing script execution that may pose a threat, e.g. cross-site scripting (XSS)
In this real-world example, the customer needed to harden the application by removing
several elements from the native user interface.
Figure 1: The original content of the user interface
enPortal CRS rules are used to secure the application by dynamically removing the
customer-specified links and associated functionality.
Figure 2: The hardened application UI
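The kind of rule-driven rewriting the hardening example above describes, as an added illustration written for this overview (it is not enPortal's CRS code): absolute back-end URLs are mapped onto a proxy mount path so the application's address and port never reach the browser, links into denied areas are removed together with their content, inline scripts are dropped, and the vendor logo is swapped. The back-end address 10.0.0.5:8080, the mount path, the denied prefix and the logo mapping are constructed values, as is the sample page.

```python
from dataclasses import dataclass, field
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page from a fictitious back-end at 10.0.0.5:8080.
SAMPLE = """<html><body>
<img src="http://10.0.0.5:8080/static/logo.png" alt="Vendor">
<a href="http://10.0.0.5:8080/dashboard?view=noc">Dashboard</a>
<a href="/admin/users">Admin <b>console</b></a> <a href="https://docs.vendor.example/help">Help</a>
<script>window.open("popup.html")</script>
<p>Status: OK</p></body></html>"""


@dataclass
class HardeningRules:
    backend: str                  # scheme://host:port of the proxied application
    mount: str                    # path under which the proxy exposes it
    deny_prefixes: tuple = ()     # back-end paths whose links are removed
    logo_map: dict = field(default_factory=dict)  # logo path -> replacement

    def backend_path(self, url):
        """Back-end path for back-end or site-absolute URLs, None for any other."""
        parts = urlsplit(url)
        if parts.netloc and f"{parts.scheme}://{parts.netloc}" != self.backend:
            return None                   # third-party URL: leave alone
        if not parts.netloc and not parts.path.startswith("/"):
            return None                   # document-relative link: not handled here
        return parts.path or "/"

    def rewrite_url(self, url):
        """Conceal the back-end address by mapping its URLs onto the proxy mount."""
        path = self.backend_path(url)
        if path is None:
            return url
        if path in self.logo_map:
            return self.logo_map[path]
        query = urlsplit(url).query
        return self.mount + path + (f"?{query}" if query else "")

    def remove(self, tag, attrs):
        """Elements dropped entirely: inline scripts and links into denied areas."""
        if tag == "script":
            return True
        path = self.backend_path(dict(attrs).get("href") or "") if tag == "a" else None
        return path is not None and path.startswith(self.deny_prefixes)


RULES = HardeningRules("http://10.0.0.5:8080", "/proxy/nms", ("/admin",),   # constructed
                       {"/static/logo.png": "/branding/customer-logo.png"})


class HardeningRewriter(HTMLParser):
    """Re-emits the document, dropping denied elements and rewriting URL attributes."""

    def __init__(self, rules):
        super().__init__(convert_charrefs=False)
        self.rules, self.out, self.skip_tag, self.skip_depth = rules, [], None, 0

    def _render(self, tag, attrs, close=""):
        pieces = []
        for name, value in attrs:
            if value is not None and name in ("href", "src", "action"):
                value = self.rules.rewrite_url(value)
            pieces.append(f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"')
        return f"<{tag}{''.join(pieces)}{close}>"

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += tag == self.skip_tag   # nested copy of the removed tag
        elif self.rules.remove(tag, attrs):
            self.skip_tag, self.skip_depth = tag, 1   # skip until its closing tag
        else:
            self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if not self.skip_depth and not self.rules.remove(tag, attrs):
            self.out.append(self._render(tag, attrs, " /"))

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= tag == self.skip_tag
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")

    def handle_charref(self, name):
        self.handle_data(f"&#{name};")


def harden(html_text, rules):
    parser = HardeningRewriter(rules)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Run `harden(SAMPLE, RULES)` to see the rewritten page; document-relative links (no leading slash) are deliberately left untouched, which a production rewriter would also have to resolve.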
Custom Integrations
The content retrieval and modification capabilities of the CRS are what enable Edge and
its customers to write custom integration modules. These modules extend the same
features of Edge’s COTS-based PIMs to all of your custom applications. These custom
integrations can also include applications that would not integrate into most standard
portals – such as Java applets or non-standard web applications.
The tools for building and testing these integrations are provided in the Integration
Manager, which resides in the enPortal administration UI.
Advanced Security
enPortal has a strong security model with powerful features to restrict access to
content based on domain, role (group), and/or user. enPortal also provides a
combination of firewall infrastructure support, port mapping, content filtering, and a
sophisticated security manager.
Enhanced security features include multiple N-Factor authentication methods, secure
communications channels, security policies, directory services support, and more – as
detailed in the following sections.
Attack Prevention
enPortal provides comprehensive protection against cross-site scripting attacks. Every
part of the HTTP exchange is inspected by the proxy, including the request line,
headers, and body. Blocked requests receive an HTTP 500 response and are recorded in
detail in the system log files for investigation. Updates to the output encoding scheme
have also been implemented to improve system efficiency and to eliminate cross-site
scripting attacks. The default behavior is to deny requests that contain malicious
characters when the page that initiated the request was not served by the enPortal server.
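The screening policy just described, as an added example written for this overview rather than enPortal's own implementation: every part of the message is inspected, a hit is passed through when the Referer names the portal host, and otherwise the proxy answers 500 and logs the detail. The portal host name, the small set of suspect tokens, and the use of the Referer header to identify the initiating page are assumptions.

```python
import logging
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

log = logging.getLogger("request-screen")

# Tokens that commonly carry script injection. The page does not list the
# characters enPortal checks, so this set is an assumption for the example.
SUSPECT = re.compile(r"<|>|javascript:|onerror\s*=|onload\s*=", re.IGNORECASE)

PORTAL_HOST = "portal.example.com"   # assumed host name of the enPortal server


@dataclass
class Request:
    method: str
    target: str                       # path and query from the request line
    headers: dict = field(default_factory=dict)
    body: str = ""


def initiated_by_portal(req, portal_host=PORTAL_HOST):
    """True only if the Referer header names the portal itself.

    A missing Referer counts as "not from the portal", matching the stated
    default of denying when the initiating page is not the enPortal server.
    """
    referer = req.headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == portal_host


def find_suspect(req):
    """Return (location, matched text) for the first suspect token, else None.

    Request line, every header and the body are inspected. Percent-encoding is
    undone first so that %3Cscript%3E is seen as <script>.
    """
    parts = [("request-line", req.target)]
    parts += [(f"header:{name}", value) for name, value in req.headers.items()]
    parts.append(("body", req.body))
    for where, text in parts:
        match = SUSPECT.search(unquote(text or ""))
        if match:
            return where, match.group(0)
    return None


def screen(req, portal_host=PORTAL_HOST):
    """HTTP status the proxy should answer with: 200 to pass, 500 to deny."""
    hit = find_suspect(req)
    if hit is None:
        return 200
    if initiated_by_portal(req, portal_host):
        # Suspect characters on a page the portal served itself are allowed;
        # the integrated application may legitimately use them.
        return 200
    where, token = hit
    log.warning("denied %s %s: %r found in %s (Referer=%r)",
                req.method, req.target, token, where, req.headers.get("Referer"))
    return 500


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample traffic: a lure page on another host submits markup.
    hostile = Request("GET", "/nms/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
                      {"Referer": "http://lure.example.net/page.html"})
    print(screen(hostile))
```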
Password Management Policies
The security of the system is enhanced by the ability to define password management
policies for users’ passwords. The following types of policies can be instituted:
Specifying a password lifetime, which forces users to change passwords
Syntax policies, to avoid the use of predictable passwords
Account lockout upon consecutive failed login attempts
When integration of third-party authentication tools (such as LDAP) is used for user
management, enPortal will also cooperatively sync with any password policies in effect
on the associated server.
Access Control List Rules
enPortal enables Administrators to create "allow" and "deny" rules that can be
enforced from the global and/or Channel-specific level. For example, these rules can
prevent users from accessing specific URLs.
SSL Communications Support
Communications between enPortal clients and the enPortal server can be secured using
HTTPS (HTTP over SSL/TLS). This protects the communications streams as they pass through
the public Internet. enPortal’s Tomcat web server provides the HTTPS support, and the
configuration rules to enable it are delivered with the stock configuration files.
The enPortal server can also communicate with external HTTPS web servers. This
typically occurs within the web resource proxy (discussed below) and is dictated by the
protocol field of the URL that the Proxy has been directed to retrieve.
Proxy Technology
A key component, and differentiator, of enPortal is its proxy technology. enPortal’s bi-
directional proxy technology provides protected access to fully interactive applications
over public and private networks. It works by allowing access to specifically identified
back-end web applications and content to authorized enPortal users. Of significant
importance, enPortal’s web resource proxy does not require installation of additional
software on the servers being proxied.
Figure 3a: Secure data access in enPortal
Figure 3b: Un-proxied data access in typical portal
The figures above illustrate two communications methods by which various portal
systems interact with, and render, fully interactive applications to the user. The
“enPortal” example (Figure 3a: Secure data access in enPortal) illustrates data flow
between applications and client browsers through the enPortal web resource proxy
technology. The “Typical Portal” example (Figure 3b: Un-proxied data access in typical
portal) illustrates data flow between applications and client browsers within other
portal frameworks.
Note that in a typical portal system, direct communication is required between the
browser and the external application. In these systems, the login page, initial portal
page, and wrapper-based pages are requested directly from the portal server.
However, when the user begins interacting with an embedded application, the browser
begins communicating directly to the external application.
The enPortal system, on the other hand, uses a web resource proxy approach to
provide controlled access to fully interactive web applications. The web resource proxy
approach allows the web browser to communicate entirely with the enPortal server for
all interaction with the external web applications. Yet enPortal seamlessly handles all
interaction as if the browser were communicating directly with the application. The
enPortal solution provides a higher level of security, because end-users never directly
connect to the back-end proxied servers.
Firewall Support
The enPortal web resource proxy provides users with a single access point - exactly one
HTTP(S) port - to all integrated HTTP(S)-based applications. enPortal content retrieval
allows all HTTP(S)-based content and applications to be accessed through a single
socket connection within a network DMZ, network address translation (NAT), and
firewall environment.
Referring again to Figures 3a and 3b, the enPortal solution (Figure 3a: Secure data
access in enPortal) only requires a single firewall rule to allow access from the user’s
browser to enPortal. The “typical portal” solution (Figure 3b: Un-proxied data access in
Typical Portal) requires additional holes in the firewall between the user and each
integrated application.
Protection of Private Networks and Application Assets
The protection and concealment of back-end applications and network assets are of
critical concern to organizations that must provide application access to users and
customers over a public network. enPortal allows multiple dynamic HTTP(S)-based
applications to be integrated into the enPortal framework, concealed, and pushed
through a DMZ environment for presentation to external users on a public network.
The web resource proxy does not allow clients to directly connect to these resources.
Additionally, external entities have no knowledge of applications’ addresses, port
numbers or operational networks. The enPortal proxy provides an additional layer of
protection between internal resources and external users.
User Management
A key component of any integration platform is managing the accounts and credentials
for users in each of the underlying systems. enPortal provides a suite of tools that
allow the administrator to either create and manage new users, or to leverage the
users and accounts that are already in place in your organization.
Single Sign-On
Out of the box, Single Sign-On is a feature of enPortal where all of a user's credentials
to multiple applications are securely stored by enPortal. This allows users to access and
display information from back-end applications without having to manually log in to
each of these applications. Once a user logs into enPortal, no other credentials are
required from that user. Using enPortal’s pre-built PIMs, this capability is provided
with no custom software development or modification to back-end applications.
Figure 4: Single Sign-On accesses all integrated applications with a single login
An additional benefit of enPortal’s Single Sign-On is that a single account for a back-end
application can be shared across an entire group of users if desired. This allows the
application administrator to configure access options for many users through a single
account and also limits the number of named user accounts that are needed in the
application. A Group membership attribute in LDAP can be leveraged for this purpose,
so that no special group configuration needs to be implemented by the enPortal
administrator.
The enPortal Single Sign-On feature supports the integration of various security and
authentication schemes presented by existing applications. This capability is
implemented through a component called the Login Proxy Service (LPS) that handles all
authentication interactions between the user and third-party services.
Because many applications have unique or proprietary mechanisms, web-based Single Sign-
On can be difficult for other portal solutions to standardize into a solution that fits in all
cases. Each single login implementation for an application is a unique integration with its
own distinct interface. However, while the method of presentation can vary, most
methods of authentication use the HTTP protocol to submit credentials and maintain
authentication. The powerful enPortal CRS engine allows Single Sign-On to be rapidly
configured for virtually any application.
Provisioning of Single Sign-On Tokens
If the integrated back-end applications and enPortal are tied to a common external user
authentication system, SSO tokens can be configured to simply pass the user's credentials
through to the back-end applications. If a user enters credentials and no matching SSO
token is stored for that user and that back-end application, the credentials are no longer
valid and the user is prompted for them again.
Single Sign-Out
When a user logs out of enPortal, Single Sign-Out automatically logs the user out of all
integrated applications with open sessions. This provides additional security and
performance by limiting the number of open sessions. It also can lower costs and
eliminate lockouts by reducing the number of concurrent licenses that are needed for
the integrated applications.
Kerberos
enPortal currently supports Kerberos-controlled SSO access to proxied applications.
Kerberos authentication differs from basic HTTP, NTLM-based, and application (PIM)
specific authentication in that enPortal needs to communicate with both the proxied
web application and the Kerberos authentication server.
Kerberos also requires an additional configuration file that contains details about the
authentication domain and servers. The Kerberos Configuration page in the Edge
online documentation provides additional information. Edge does not currently
support Kerberos as the authentication mechanism to login to enPortal itself.
Authentication and Login Processing
enPortal provides a complete UI and embedded database for internally managing
domains, users, and roles. However, some organizations already have one or more
LDAP servers in place to manage this information. This enables the organization to
store all user information and credentials in one centralized location. In this case,
enPortal can simply map to the existing LDAP configuration and rely on LDAP for
externally managing this information. Typical LDAP repositories supported by enPortal
include Active Directory and OpenLDAP, but others are also supported.
Figure 5: Delegated user management with LDAP
enPortal provides a full toolset for mapping LDAP groups to enPortal roles, enforcing
password policies, and keeping user credentials in sync between the LDAP server and
enPortal.
External User Authentication
enPortal supports several common authentication tools that are already in use by many
customers. This allows enPortal to rapidly integrate with an existing login management
infrastructure.
CAC/PKI
Common Access Card (CAC) is a two-factor authentication mechanism used by certain
organizations, including the United States Department of Defense. This allows Single
Sign-On integration with the desktop authentication via a Client Certificate, a feature of
Public Key Infrastructure (PKI). Use of this module requires that the desktop operating
system and web browser are configured with the necessary hardware and middleware
to support the physical CAC token and associated protocols. This module can be
adapted to other single- and two-factor authentication mechanisms that present a
Client Certificate to web applications.
CA Single Sign-On (formerly CA SiteMinder)
To facilitate enPortal integration with CA Single Sign-On, CA’s Web Agent must be
installed at enPortal’s access point. A common implementation is to have an Apache
version of the Web Agent installed on an Apache HTTP Server which is then configured
as a reverse proxy to enPortal.
When a user accesses enPortal via the Apache server, the CA Web Agent checks whether
the user has already been authenticated for enPortal access. If not, it forwards the
request to the CA Single Sign-On instance, which prompts the user with the CA login
page. Once the user authenticates successfully through CA Single Sign-On, all
subsequent enPortal access requests are granted.
In this deployment scenario, enPortal is configured in Trusted Authentication mode, so
no authentication is required for enPortal’s own login request. enPortal also supports
on-demand (“lazy load”) role assignment, in which case enPortal communicates with the
same LDAP server that CA Single Sign-On uses.
Figure 6: enPortal deployed with CA Single Sign-On
Customer Portal to enPortal Authentication Mapping
Similar to the CA Single Sign-On deployment described above, in this scenario there is
another portal already in place that provides a reverse proxy capability. The external
customer or end-user must access that other system first, which in turn picks up a
token that is sent in response to the initial request to enPortal. If enPortal does not
detect a valid session for the request, it looks for the access token and then calls
back to that other system to:
a) Validate the token
b) Make a request for user information from the other portal
c) Check to see if the user exists and if not, perform on-demand user creation
d) Create the session
Two-factor Authentication Systems
Two-factor authentication (2FA) adds a second level of authentication to a basic login
procedure, requiring the user to provide additional credentials in order to access
secured resources. Examples of 2FA include Google Authenticator, RSA SecurID tokens,
and CAC. enPortal satisfies such security requirements by providing a single, secure
access point to back-end applications through enhanced authentication.
One possible scenario illustrating the integration of enPortal with 2FA is as follows:
An administrator has configured their system to require 'clientAuth', meaning that the
Secure Sockets Layer (SSL) connection requires a valid certificate chain from the client.
The enPortal server will send the chain to an Online Certificate Status Protocol (OCSP)
Responder to validate the certificate. It may also look up the user name information in
the certificate and additionally request a valid password. This password has typically
been validated against an LDAP server which in turn may perform an on-demand, or
“lazy load,” of the user and any role assignments before a valid session is created.
Web Access Management
Web Access Management (WAM) tools have become more commonly used in recent
years. These tools include CA Single Sign-On (formerly SiteMinder), Oracle Access
Manager, and Novell Access Manager. The WAM tool provides authentication
management, policy-based authorizations, and reporting services. By having the
capability to quickly integrate with these tools, enPortal allows an organization to
continue using these tools for authentication while implementing all of the integration
and proxying capabilities provided by enPortal.
Custom Authentication
The powerful enPortal CRS provides the capability and tools for quickly creating custom
authentication modules. This allows enPortal users to leverage Single Sign-On to
enable them to auto-login to any application, including custom home-built applications
with proprietary login mechanisms. Over the years, Edge has developed many of these
custom authentications for a variety of applications.
IP Address and Session Limiting
One of the validations that can be required before a session is established is to check
the user’s source network address and only allow certain roles to be accessed from
specified networks. The administrator is able to restrict the content available to that
role to only users who are assigned that role and who are accessing the system from
within a known and approved network.
enPortal provides for several session-based constraints including:
1. Limiting the number of simultaneous active sessions for a specific set of users
or Domains
2. Limiting initial sessions to a set time and/or defining the duration of extensions
when users are actively using the system
3. Determining what action to take if a user attempts to start a new session when
an existing session already exists: block access, terminate previous sessions, or
prompt the user to terminate the active session or cancel the login request
4. Displaying a security statement to be acknowledged prior to login
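As an added illustration, not enPortal code, the following Python models the source-network check and session constraints 1 to 3 above in one policy object: roles are usable only from approved networks, concurrent sessions per user are capped, a login gets an initial lifetime that active use extends, and a duplicate login is blocked, terminates the previous session, or prompts the user. Role names, networks, session ids and limits are constructed for the example, and limits are modelled per user rather than per domain.

```python
import ipaddress
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    expires_at: float   # epoch seconds after which the session is dead


@dataclass
class SessionPolicy:
    """Constructed model of enPortal-style session constraints (not enPortal code)."""
    role_networks: dict                  # role -> list of CIDR strings; absent role = unrestricted
    max_sessions_per_user: int = 1
    initial_ttl: float = 900.0           # seconds granted at login
    extension: float = 300.0             # seconds granted on each active request
    on_duplicate: str = "block"          # "block", "terminate_previous" or "prompt"
    sessions: dict = field(default_factory=dict)   # session id -> Session

    def roles_allowed_from(self, roles, source_ip):
        """Keep only the roles that may be used from source_ip (source-network check)."""
        addr = ipaddress.ip_address(source_ip)
        allowed = set()
        for role in roles:
            nets = self.role_networks.get(role)
            if nets is None or any(addr in ipaddress.ip_network(n) for n in nets):
                allowed.add(role)
        return allowed

    def _expire(self, now):
        for sid in [s for s, sess in self.sessions.items() if sess.expires_at <= now]:
            del self.sessions[sid]

    def _active_for(self, user):
        return [sid for sid, sess in self.sessions.items() if sess.user == user]

    def login(self, sid, user, roles, source_ip, now=None, confirm_terminate=False):
        """Return (outcome, effective roles). Outcomes: ok, denied_network, blocked, prompt."""
        now = time.time() if now is None else now
        self._expire(now)
        effective = self.roles_allowed_from(roles, source_ip)
        if not effective:
            return "denied_network", set()
        existing = self._active_for(user)
        if len(existing) >= self.max_sessions_per_user:
            if self.on_duplicate == "block":
                return "blocked", set()
            if self.on_duplicate == "prompt" and not confirm_terminate:
                return "prompt", set()       # caller re-submits with confirm_terminate=True
            for old in existing:              # terminate_previous, or prompt confirmed
                del self.sessions[old]
        self.sessions[sid] = Session(user, now + self.initial_ttl)
        return "ok", effective

    def touch(self, sid, now=None):
        """Extend an active session on use; False if it has already expired."""
        now = time.time() if now is None else now
        self._expire(now)
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        # never shorten a session by touching it; only push the deadline out
        sess.expires_at = max(sess.expires_at, now + self.extension)
        return True
```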
Branding and Customization
enPortal offers many features for uniquely branding the presentation of the Edge user
interface, along with HTML content from proxied applications, so the user has a
completely customized and unified experience.
Custom Login Page – The default enPortal login screen can be customized,
allowing for a variety of static or dynamic content to be displayed as users access
the system. Custom login screens can also provide links to relevant information
or resources. A service provider, for example, might include information on new
customer offerings.
Figure 7. Default login screen
Figure 8. Custom login screen
Look and Feel – By using the configuration tools in the enPortal administration
interface, the administrator can modify the enPortal Look and Feel (LAF), create
multiple versions of the LAF, and assign different LAFs on a per-domain or per-role basis.
Content Views – When logging in to enPortal, the content presented to each
user is tailored to meet the needs of their business function. This is accomplished
by customizing the Views that are assigned to each role in the system. The
enPortal administration interface provides all of the tools for managing this
customization.
Security Policies – The administrator can also set custom security policies. This
locks down the content in the system and ensures that users can only access the
information to which they have security privileges. Read, write, and view
privileges can be restricted by user, role, or domain.
API – In addition to the customization options noted above which are available in
the standard UI, enPortal also provides an API to allow for additional
customization of the system at a programmatic level.
Executive Views
An integration platform needs to provide different types of information to different
types of employees. In addition to the GUI-layer integrations provided by enPortal,
Edge offers an add-on visualization layer capability, called AppBoard™, which provides
additional integration directly at the data layer through data adapters. This unique
deployment model now allows for customer, executive, or situational awareness views
of information while still allowing access in context directly to web layer tools. This also
offers additional ways for the system designer to always provide the right data to the
right user with clear and concise visualizations.
The AppBoard visualization view can add value with elements such as:
Providing high-level summaries, with drill-down to greater detail
Providing drill-down to full use of integrated tools
Transforming event data to service impact information
Providing visualization of information derived from multiple data sources
Supporting presentation on mobile devices
The combination of the GUI-based AppBoard Builder, SDK, widgets, and data adapters
allows the dashboard builder to rapidly integrate and visualize raw data. These
visualizations are then available for presentation alongside the enPortal views of
integrated application GUIs. AppBoard is licensed separately from enPortal but both
servers are deployed together as a single, cohesive server.
Figure 9 demonstrates how enPortal and AppBoard work together to provide a full
suite of integration. enPortal’s PIMs provide GUI-layer integration of existing
application interfaces, while AppBoard’s Data Adapters provide data-layer integration
through direct connections to application databases or web services:
Figure 9: Comparing integration through enPortal and AppBoard
Figures 10 and 11 show examples of visualizations that combine enPortal GUI-layer PIM
integrations with AppBoard data-layer visualizations:
Figure 10: Device Status, Network Topology, Bandwidth Utilization, and Ticket List from
suite of integrated IBM Tivoli Software applications
Figure 11: Enterprise View using PIMs and Data Adapters
enPortal Deployment Models
enPortal solves different integration challenges for different organizations. The
following sections outline the typical models for how enPortal can be deployed.
Deployment Model 1: For Internal Users
The first deployment option for enPortal is for internal use, such as in a Network
Operations Center. In this model, enPortal augments both the security and operational
efficiency of your organization (see Figure 12: enPortal internal deployment).
Figure 12: enPortal internal deployment
enPortal provides different application views to different teams, such as Engineering,
Management, or Executive. Each team is provided direct, secure access to only the
applications relevant to their function. This enables enPortal to always provide the
right picture to the right user.
For Government agencies, the advanced security features of enPortal enhance
applications to meet stringent security requirements that go beyond the existing
capabilities of those individual native applications.
Edge Technologies’ enPortal is the industry’s only COTS-based integration platform
focused specifically on network management application integration. The internal
delivery model of enPortal enhances security and operational efficiency in many ways:
Allowing organizations to provide secure access to interactive back-end
applications
Providing consolidated Single Sign-On
Centrally coordinating interaction between applications – with little or no coding
Improving the user experience by providing a more unified look and feel for disparate
existing applications
Deployment Model 2a: For External Users or Customers with Multi-Tenancy
The second enPortal deployment option is frequently used by Managed Service
Providers to generate revenue. These organizations service multiple external
customers by allowing their end-users to access enPortal via the internet (see Figure
13: enPortal deployment to multiple customers).
Figure 13: enPortal deployment to multiple customers
Each customer is segmented into their own “domain”, with customer access credentials
often managed by integration with an existing user repository, such as LDAP or a web
access management tool like CA SiteMinder. The concept of “multi-tenancy” is utilized,
in which multiple customers are accessing the same enPortal system, but each user can
only access the information and tools that they are authorized to see within that
domain. By locking down access to URLs and content, enPortal can also impose
multi-tenancy on proxied applications, even if the tools do not natively provide it. Each
customer’s experience is also uniquely branded by their marketing team to optimize
the end-user experience.
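As an added example of the URL lockdown that imposes multi-tenancy on a proxied application (my own illustration, not enPortal's implementation), the Python below keeps a per-domain allowlist of upstream host and path prefix, denies by default, and normalizes the requested path before matching so that encoded or dot-dot segments cannot reach another tenant's prefix. The tenant names, hostnames and ticketing paths are constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit


class TenantUrlPolicy:
    """Constructed per-domain URL lockdown for a proxied application (not enPortal code)."""

    def __init__(self, rules):
        # rules: tenant domain -> list of (upstream hostname, allowed path prefix)
        self.rules = {dom: [(host, self.normalize(p)) for host, p in entries]
                      for dom, entries in rules.items()}

    @staticmethod
    def normalize(path):
        """Decode once and collapse '.'/'..' so '/tickets/acme/../globex' cannot escape."""
        decoded = unquote(path or "/")
        if "%" in decoded:
            # a percent sign surviving one decode means double encoding (or a literal
            # '%25'); the upstream may decode again, so treat it as untrusted and deny
            return None
        return posixpath.normpath("/" + decoded.lstrip("/"))

    def is_allowed(self, domain, url):
        """True only if url matches an allowed (host, prefix) for the tenant; deny by default."""
        parts = urlsplit(url)
        path = self.normalize(parts.path)
        if path is None or parts.hostname is None:
            return False
        for host, prefix in self.rules.get(domain, []):
            same_host = parts.hostname.lower() == host.lower()
            # exact prefix or a child of it; '/tickets/acme2' must not match '/tickets/acme'
            in_prefix = path == prefix or path.startswith(prefix.rstrip("/") + "/")
            if same_host and in_prefix:
                return True
        return False
```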
This deployment model leverages enPortal’s core features - Single Sign-On, PIMs,
re-branding, security, and content manipulation (see Core Features and Capabilities) - to
provide only the appropriate content to each customer and to each individual in that
customer’s user base.
The integration capabilities of enPortal can also provide web access to legacy
thick-client applications that would not otherwise be web accessible.
Deployment Model 2b: In Your Existing External Portal
For many successful organizations, a portal strategy serves as the foundation for
integration. As such, the concept of a portal is maturing rapidly. The original concept of
a portal addressed the need to publish information to users via a web page. Companies
today, however, need a portal that provides more than just static displays of back-end
applications and information. They need a tool that can rapidly integrate applications
into their existing portal infrastructure.
Companies with existing external-facing portals already in place can leverage enPortal’s
proxy technology to increase the value of their existing portal. enPortal reaches well
beyond the capabilities of existing portal solutions that focus primarily on document
management, indexed searches, and static displays of data. enPortal provides true
integration - especially when leveraging enPortal's COTS-based PIMs for integration of
vendor-specific tools and content.
Working with your existing portal, enPortal can rapidly integrate new applications into
the portal framework (see Figure 14: enPortal deployment inside an existing portal).
Figure 14: enPortal deployment inside an existing portal
As seen in the above illustration, enPortal increases the value of the existing customer
portal by integrating additional applications. The enPortal proxy integrates applications
as portlets into the existing portal container. enPortal can run in parallel to the existing
portal, immediately providing value without requiring a full replacement of the existing
portal.
In addition to integrating applications, portlets can also integrate individual enPortal
tools into a portal. This can provide enPortal features to administrative users beyond
what may be supported by the existing customer portal. Examples include user/role
management, LDAP integration, Single Sign-On, and dashboard visualizations.
Customer Example
A large telecommunications company used an in-house portal to deliver access to their
customers, over the internet, to a suite of tools for managing their voice, data, and IP
services. The company had requirements for additional features that were not
provided by their existing portal.
The company added enPortal to the existing portal platform. enPortal provided Single
Sign-On capability, application link provisioning, system administration capabilities, and
enhanced security.
Architecture
The enPortal system runs as a web application inside an Apache Tomcat server, and
accesses a JDBC-compliant database (or database cluster). The system is designed with
flexible deployment options, to meet the varying needs of an organization. The
following sections detail these available options.
Design Architecture
Edge enPortal is a standards-based, XML-driven portal application. enPortal was
developed with Java technologies to provide unparalleled flexibility, scalability,
application and content protection, application interaction, and complete platform
independence. enPortal is deployed in a self-contained Tomcat web application with an
embedded H2 database.
In a multi-tier deployment architecture, the first tier is typically one or more
customer-provided hardware load-balancers and/or SSL accelerators. These front-end
load-balancers pass incoming requests to one or more enPortal servers on tier two, running
as Java web applications executing under the Tomcat web/application server (referred
to as the Servlet/JSP engine). The enPortal configuration database is then resident on
tier three, and will often be a redundant database cluster to provide load-balancing and
high availability.
All components support maximum platform independence (UNIX or Windows),
scalability, and overall system performance.
Scalability, Clustering, and Failover
The enPortal system is implemented as a web application. The enPortal web
application server can scale horizontally by replication on additional servers/platforms.
Redundant nodes can also be implemented to provide fault tolerance, allowing users to
be redirected to alternate servers in the event of an outage.
The scalability of enPortal is related to the number of page views per second. The
scalability of proxied web integrations can be variable and dependent on the
complexity of the specific integrations used. Typical integrations allow between 5 and
25 integration page requests per second before CPU utilization can become stressed.
With a typical user making three page views per minute and a conservative estimate of
5 integration requests per second, a single enPortal server should handle 150 or more
concurrent users in a typical configuration. The core user model can support essentially
an unlimited number of users who are not logged in.
Basic Deployment
A single enPortal server may be sufficient for handling the requirements of smaller
deployments (see Figure 15: Basic enPortal deployment).
Figure 15: Basic enPortal deployment
High Availability (Failover)
Many organizations require that enPortal have limited downtime over the lifetime
of the deployment. In this case, failover can be implemented by configuring redundant
enPortal servers. If there is an outage on the primary server, enPortal can continue to
provide uninterrupted service by switching to the backup server until the primary
server is repaired (see Figure 16: Failover deployment for High Availability).
Figure 16: Failover Deployment for High Availability
Optimized Performance with Failover (Clustering)
Some organizations further require a platform where many users can access the system
concurrently without impacting the performance of the application. In this case,
clustering of enPortal servers can be implemented to route user sessions to servers
with the smallest load or network traffic (see Figure 17: Clustered deployment for
optimal performance).
Figure 17: Clustered deployment for optimal performance
Running in Modern Environments
enPortal’s Java and Tomcat infrastructure allows it to be platform independent and run
on any operating system that supports the Java Development Kit (JDK v1.6+). The
enPortal views can be accessed by any supported web browser, including Internet
Explorer, Firefox, or Google Chrome.
enPortal’s flexible configuration options also enable it to co-exist with other software
applications on the same server. Co-locating enPortal on an existing application
server can reduce deployment cost and network latency.
Since its initial release in 2000, enPortal has shown the flexibility to run in a variety of
customer environments. Some of these are noted in the following sections.
Virtualized Networks (VMware)
enPortal fully supports running on a virtualized server, or in a virtualized network.
enPortal can also be configured to auto-start so that it will automatically come back
online when a server is re-started. The enPortal license will run on any server that can
resolve to a static hostname or IP address.
IPv6 Network
enPortal can run on an IPv4 network, IPv6 network, or dual-stack network that requires
simultaneous support for both protocols.
Through an Existing Proxy Server
enPortal contains special configuration options for applications that are not directly
accessible and can only be accessed through a separate proxy server. The details for
both the proxy server and back-end application are stored and managed by the
enPortal proxy.
Remote Application Delivery
Several options are available for integrating enPortal with Oracle Secure Global Desktop
(SGD) or similar Remote Application Delivery technologies (e.g. Citrix, Ericom
AccessNow, Resource Dynamics Go-Global). There are different architectures that can
work with enPortal and its proxy, but there are some differences in what may be
supported in each.
Oracle SGD software provides remote access to published applications and published
desktops from a variety of client platforms and devices. The software web-enables
legacy applications and, when used along with enPortal, provides for the delivery of
those applications side-by-side with typical web-based apps.
The enPortal PIM for Oracle SGD lets you deliver the published application or
desktop in a portal channel. This allows applications that do not natively provide a
web-based interface to be accessed through enPortal. enPortal aggregates application
views, enforces security policies, and presents the application interface. The user’s web
browser client communicates directly and exclusively with enPortal. enPortal proxies
the communication between the web client and the back-end application through the
Oracle SGD server.
Security and performance are top priorities with any web-enablement solution. The
Oracle SGD PIM enforces strict user authentication and controlled role-based access to
specific content as well as the ability to restrict content delivery to defined IP
addresses. The solution tracks all sessions and creates a detailed audit trail for each
session. The Oracle SGD PIM also provides bandwidth management end-to-end with no
change to existing firewalls.
Software Component Architecture
The primary functions of enPortal are contained within five system components:
Request Engine
Business Logic Engine
Integration Engine
Web Resource Proxy and Content Filtering
Object Database
Request Engine
The Request Engine serves all requests coming from a user via a web browser.
In fact, all external communications with an enPortal system are requested through the
Request Engine. The Request Engine’s primary responsibilities are to translate HTTP(S)
requests into object requests and to dynamically translate the application-specific
results into HTML for transmission to the client web browser.
The Request Engine executes within a Servlet/JSP engine; Java Servlets and JSPs are the
primary components of the Request Engine. The Request Engine also provides an extra
level of access security by verifying that the user is logged in to the system before
accepting and servicing the request.
Business Logic Engine
The Business Logic Engine is responsible for the overall business logic of the system,
enPortal’s security, and the storage of system objects. These responsibilities pertain to
users, roles, domains, virtual directory access, and content management.
The Business Logic Engine manages and stores system objects in a chosen object
repository/database. It runs in the same process (Tomcat, as the JSP/Servlet engine)
as the Request Engine.
Integration Engine
The Integration Engine allows new content Channels to be created and integrated into
an enPortal system at runtime. The Integration Engine consists of a Channel
classification model and a set of Request Handlers that are implemented as Java
Servlets or JSPs. Request Handlers are the public web interfaces into enPortal Channels
that service the Channel requests being made from web browser clients. The
Integration Engine provides an external interface through the Portal Request Engine
that allows HTTP(S) requests to be sent to any plugged-in visual Channel.
Upon receipt of a request to render a content Channel, the Integration Engine retrieves
the specified Channel (if security allows it) from the enPortal server and calls the
specified Request Handler to render the Channel content.
Web Application Proxy and Content Filtering
The web application proxy and content filtering function facilitates the delivery of and
interaction with existing HTTP(S)-based content. It is responsible for applying Single
Sign-On rules to the retrieval of external HTTP(S) requests, and for manipulating the
resulting data streams being returned from an integrated application for control and
data customization. The HTTP(S) stream manipulation support within enPortal is both
extensive and configurable and is available as a Proxy Channel. A potential example of
the use of this function is the removal of an image from an HTML stream as enPortal
delivers the HTTP(S) stream to the browser client.
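As an added example of the kind of stream manipulation described above (my own illustration, not enPortal's Proxy Channel code), the Python below filters an HTML stream chunk by chunk, drops every <img> element while passing everything else through, and reports how many elements it removed. The sample HTML and chunk boundaries are constructed.

```python
from html.parser import HTMLParser


class ImageStrippingFilter(HTMLParser):
    """Constructed content filter: copy an HTML stream through, minus <img> elements."""

    def __init__(self):
        # convert_charrefs=False so entity and char references reach our handlers verbatim
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.removed += 1
            return
        self.out.append(self.get_starttag_text())   # raw tag text, attributes untouched

    def handle_startendtag(self, tag, attrs):
        if tag == "img":                              # e.g. <IMG SRC="..." />
            self.removed += 1
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "img":                              # stray </img> goes too
            return
        self.out.append(f"</{tag}>")                  # note: end tags are re-emitted lowercase

    def handle_data(self, data):
        self.out.append(data)                         # text, script and style bodies

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def filter_html(chunks):
    """Feed the stream in arbitrary chunks; HTMLParser buffers a tag split across chunks."""
    f = ImageStrippingFilter()
    for chunk in chunks:
        f.feed(chunk)
    f.close()
    return "".join(f.out), f.removed
```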
Object Database
The enPortal Database is a JDBC-compliant RDBMS, and enPortal supports numerous
databases, including Microsoft SQL Server, MySQL, and Oracle. enPortal ships with an
embedded H2 database. The enPortal Database handles mapping between the
object-based data model used within enPortal and the relational database model that stores
the actual content.
About Edge Technologies, Inc.
Edge Technologies is an innovative and proven software company specializing in the
Access, Integration, Visualization, and Understanding of information. Edge products
and services facilitate faster, more complete data integration; user-centric, customized
visualizations; easy, secure information sharing; and enhanced operational awareness
across a diverse set of information stakeholders.
Edge has been delivering leading-edge solutions in many of the world’s most
sophisticated network, intelligence, operational and logistics environments since 1993.
Recognized for the ability to identify, adopt and deploy emerging technology platforms,
Edge’s industry-leading products have proven to be ground breaking solutions that
stand the test of time.
Edge’s technological expertise in developing lasting innovation is fortified by the
company’s value-focused customer and partner relationships. Recognized for
meticulous software engineering and a high-touch customer service approach, Edge’s
success is built on innovative technology driven by experienced, customer-focused
personnel.
The Edge Agile Development Methodology first identifies customer challenges, then
applies design expertise and innovation to create better solutions and backs it all by the
people and technology to ensure the solutions work in the real world and for the
long haul.
Unlike competitive offerings, Edge’s products are designed with both the development
staff and the executive team in mind. Edge software toolkits do the heavy lifting to
streamline internal development efforts, accelerate time to market, and empower staff
to focus on situational and operational objectives. What’s more, Edge’s advanced
software architecture enables its products to easily scale to handle hundreds of
concurrent users.
Edge empowers businesses and government agencies to fulfill the potential of their
network and business systems management assets to make better decisions faster.
Appendix A: enPortal Product Integrations
Edge provides pre-built integrations for products from these vendors:
AirTight Networks
Alcatel-Lucent
Apica
AppDynamics
AppNeta
Arbor Networks
Axios Systems
BMC Software
CA Technologies
Cisco Networks
Citrix
Compuware
Cuculus
EIQ
EMC
eMite
Entuity
Fluke Networks
Fortinet
HP
IBM
IneoQuest
Infoblox
InfoVista
Interactive Intelligence
Ipanema Technologies
Koverse
LiveAction
ManageEngine
McAfee
Monolith Software
MYCOM OSI
Nagios
NetBoss
NetWitness
Oracle
Plixer
Resilient Systems
Riverbed
SAP
ScienceLogic
ServiceNow
SevOne
SolarWinds
Splunk
Tableau
Talisma
Tektronix
Viador
Visionael
VMware
Websense
xMatters
Zenoss
The above list continues to expand as Edge generates PIMs for new applications. The
complete list of PIMs can be found on the Edge Documentation site.