When using HTTP-based message protocols – AS2, secure file, ebXML, web services, Rosettanet – security considerations are similar to hosting a web server. There are industry-standard solutions to make this type of communication secure. Solutions recommended for Activator are described in the following topics.
You can configure Activator to accept incoming HTTP connections directly from trading partners by adding an inbound delivery exchange that uses the embedded HTTP server. The following is a list of safety options to use in conjunction with the embedded server. The options are numbered from lowest to highest security.
It is safe to allow inbound connections directly to the embedded HTTP server if your message validation rules require messages (payloads) to be signed and encrypted (the default). This is true even if Activator is running on a machine within your protected network, because the embedded server rejects any message that was not signed with the partner’s private key.
This level of security is sufficient for most applications.
Advantage: High level of security with minimal per-partner maintenance overhead.
Disadvantage: Does not protect against denial-of-service attacks.
An additional level of security can be achieved by configuring rules on your firewall to allow only inbound connections from known-partner IP addresses. You also can allow connections only to designated ports (for example, 4080 and 1443).
This level of security, in combination with requiring signed and encrypted payloads, is very high and should be sufficient for virtually all applications.
Advantage: Protects against denial-of-service attacks.
Disadvantage: IP address filtering requires updating firewall rules when a partner is added or removed.
If receiving any unencrypted messages, you should require your partners to connect using HTTPS (SSL) so no one on the Internet can eavesdrop on the contents.
Advantage: Eavesdroppers are thwarted even if messages are not encrypted.
Disadvantage: Extra CPU load introduced by SSL (but see option 5). The user cannot configure the encryption algorithm for HTTPS. It is better to require message-level security because the encryption algorithms are stronger.
With SSL, an additional level of security called client authentication can be configured. This option is selected by default when you define an SSL embedded server in Activator. Client authentication requires your partner to present a certificate before the inbound connection can be accepted. This is similar to the concept of requiring payloads to be signed.
If you choose to allow unsigned payloads, it is highly recommended that you require client-authenticated SSL to prevent connections from being accepted from unknown parties.
Advantage: Unwanted connections are refused as early as possible, before any part of the payload is received.
Disadvantage: Within Activator you must maintain a list of trusted SSL client-authentication certificates for each partner. This is in addition to the list of partner certificates you must maintain for encrypting messages and verifying signatures.
Options 3 and 4 describe SSL and client-authenticated SSL in terms of the embedded HTTPS server. But the best performance and highest security can be achieved with a hardware device in the DMZ to terminate SSL connections.
Your existing load balancer may be able to do this or you may be able to purchase an add-on SSL module. Alternatively, some vendors offer SSL accelerator cards that can be installed in a server to terminate SSL connections.
Advantage: Off-loads CPU-intensive SSL processing from Activator to the hardware device. Connections are refused in the DMZ before they reach Activator. Very high resistance to denial-of-service attacks.
Disadvantage: Requires external hardware device or card. If client-authenticated SSL is used, requires a list of trusted SSL client-authentication certificates to be maintained outside of Activator using software included with your hardware device.
In summary, most users choose one of the following levels of security when employing the embedded HTTP server.
A staged HTTP server usually resides in your DMZ, accepts incoming connections and stages incoming messages to disk. A servlet installed on the external HTTP server allows Activator to poll for inbound files that have been dropped off by partners. Functionally, the interaction of Activator with a staged HTTP server is similar to the way it interacts with an FTP server. Commonly used HTTP servers include Tomcat, WebLogic and WebSphere.
The following topics describe advantages and disadvantages to this transport.