Friday February 23, 2007

Communication Express: Authentications Between Components

In my previous discussion, we talked about Single Sign-On. In one of the responses that I received, "dk" asked:

Isn't Access Manager also required for SSO to Calendar server from Comm Express?

The answer to this question is no. SSO is not required for Calendar Server. This hasn't been required unless you are using the old Calendar Express client.

The drawing below explains many of the interfaces between Communications Express and Calendar Server. This deployment represents Communications Express version 6.2 or earlier.

[Image 200702230001]

The above shows Communications Express (UWC) 6.2 and its interfaces with both Messaging Server and Calendar Server. It also shows that the Messaging Express Multiplexor (MEM) sits as a peer to UWC, and the browser provides the unification between the two. In this case, SSO is required to provide authenticated sessions between the two peered web services.

The connection from UWC to Calendar Server uses the Web Calendar Access Protocol (WCAP). UWC authenticates to the Calendar Server with an administrative account (usually called calmaster) in order to retrieve the Calendar data. This mechanism is called proxy-authentication (or proxy-auth): the calmaster logs in as a super-user to retrieve data. The calmaster user is created in the installation process, and the user is registered as an LDAP user entry. The UWC servlet connects as this user, and therefore Access Manager and Messaging SSO are never required between UWC and the Calendar Server. SSO may still be needed for authenticated sessions between the Sun Java Portal Server's Calendar Portlet and Calendar Server.

The connection from the MEM to the Message Store's mshttpd also uses proxy-auth. A mail administrative user is created during the configuration steps of the MEM installation. The mail user is also created as an LDAP user entry.
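The proxy-auth pattern described in the two paragraphs above, modeled in Python as an added example (this is not code from Communications Express or Calendar Server, and it does not reproduce the WCAP wire protocol). The directory contents, passwords and function names are constructed for illustration; only the calmaster account name comes from the post.

```python
import hmac

# Constructed directory standing in for the LDAP entries the post mentions.
# Every password and every account other than "calmaster" is made up.
DIRECTORY = {
    "calmaster": {"password": "admin-secret", "proxy_admin": True},
    "alice": {"password": "alice-pw", "proxy_admin": False},
    "bob": {"password": "bob-pw", "proxy_admin": False},
}
CALENDARS = {"alice": ["09:00 standup"], "bob": ["14:00 review"]}


class AuthError(Exception):
    pass


def check_password(user, password):
    entry = DIRECTORY.get(user)
    # compare_digest avoids leaking the mismatch position through timing.
    return entry is not None and hmac.compare_digest(entry["password"], password)


def backend_login(user, password, proxy_for=None):
    """Back end (Calendar Server role): return the identity the session acts as."""
    if not check_password(user, password):
        raise AuthError("bad credentials")
    if proxy_for is None or proxy_for == user:
        return user
    # Only the administrative account may assert another user's identity.
    if not DIRECTORY[user]["proxy_admin"]:
        raise AuthError(f"{user} may not proxy for {proxy_for}")
    if proxy_for not in DIRECTORY:
        raise AuthError("unknown target user")
    return proxy_for


def frontend_fetch_calendar(end_user, end_user_password):
    """Front end (UWC role): authenticate the browser user, then proxy-auth."""
    if not check_password(end_user, end_user_password):
        raise AuthError("end-user login failed")
    # The end user's password never reaches the back end; the back end relies
    # entirely on the admin credential plus the asserted user name.
    acting_as = backend_login("calmaster", DIRECTORY["calmaster"]["password"],
                              proxy_for=end_user)
    return CALENDARS[acting_as]
```

Because the back end accepts whatever user name the administrative account asserts, the calmaster credential held by the front end carries access to every user's data and should be stored and monitored accordingly.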

The following shows what the upcoming Communications Express 6.3 will look like.

[Image 200702230012]

In the above authentication model, UWC and the MEM are no longer peers. The end-user browser will never again connect to the MEM, and therefore SSO is not required between UWC and MEM. As before, the Calendar Server sits behind UWC. At this point, UWC performs proxy-auth to both Calendar Server and Messaging Server.

In my next post, we will look at deployments on two tiers: communications between front-end and back-end systems.

Please feel free to leave comments.

( Feb 23 2007, 08:30:53 AM PST )