Entrust GetAccess™:
Get Technical
Architecture
The detailed architecture diagram, right, is intended to serve as a reference architecture for how the system can be deployed in a typical environment.
The Entrust GetAccess architecture is divided into multiple parts, or Web tiers. In typical deployments, firewalls are used to help control access to resources placed in these tiers. From the Internet, a "Demilitarized Zone" or DMZ is the only access point to a company's public resources, normally served up through a Web server behind a "soft" firewall. The back-end business data and logic are protected by a "hard" firewall that does not allow Internet traffic through. The DMZ serves as a separation between outside, untrusted sources (the Internet) and an organization's sensitive back-end systems and data.
First Web Tier: Client Side (Internet)
No Entrust GetAccess components are located on the client side. The only requirement for the end user is a standard Internet browser (such as Microsoft Internet Explorer or Netscape Communicator).
Second Web Tier: Web Servers, Entrust GetAccess Runtime (DMZ)
In typical Entrust GetAccess deployments, the only component located in this tier (the DMZ) is the Entrust GetAccess Runtime. The Entrust GetAccess Runtime is a light-weight plug-in or filter for Web servers that protects your Web resources and ensures that access to protected resources is permitted only to users who have been identified and are appropriately authorized. Specifically, it intercepts incoming requests for resources (protected or not) and redirects all requests to an Entrust GetAccess Server component (the Entitlements Service) to process the user authentication and resource authorization, as well as to create a new or validate an existing user session. If any of the criteria are not met (e.g. the user is not authorized to access the resource, or the user has been revoked from the system), the Runtime prevents the request from going forward and instead redirects the user to an appropriate page (e.g. the login page if not authenticated, the timeout error page if the session has timed out). The Entrust GetAccess Runtime also routes login requests to the Access Service. The Entrust GetAccess Runtime handles the necessary communications with the Entrust GetAccess back-end infrastructure so that no Internet traffic is ever permitted onto the secure network.
Third Web Tier: Entrust GetAccess Server Components
All logging, session management, authentication, authorization, and security services functionality resides within the Entrust GetAccess back-end services. Written entirely in Java and built on top of sophisticated standards-based foundation components, these services allow the architecture to deliver the capabilities, throughput, and fault-tolerance required in a complete Web portal solution.
Some of the specific components that are typically deployed in this tier are:
- Access Service
- The Access Service runs atop the Entrust GetAccess Infrastructure and is deployed as a servlet for high performance. It is responsible for front-ending user enrollment and authentication/authorization requests, as well as providing personalization by creating a user-specific resource menu. While the business logic for processing these types of requests is handled by other Entrust GetAccess back-end components, the Access Service brokers the transactions between the user and the back-end in order to support extremely secure deployment architectures.
- Entitlements Service
- The Entitlements Service determines the resources that users are allowed to access. It performs the user's authorization by checking the user's Entrust GetAccess cookie for a valid session, comparing the roles of the user to those of the requested resource, checking for policy rule restrictions assigned to the requested resource, and checking whether the requested resource is protected by Entrust TruePass and, if so, whether the user has logged in to Entrust TruePass. If the user has not logged in to Entrust TruePass, it invokes the Entrust TruePass Web service to identify the user. The Entitlements Service then tells the Runtime Service to allow or disallow access to the resource.
- PAAMs (Pluggable Authentication and Authorization Modules)
- These components are software modules that can be seamlessly “plugged in” to the Entrust GetAccess architecture to support a particular authentication method. Out of the box, Entrust GetAccess delivers PAAMs to support a variety of methods including passwords, external directories, tokens, and certificates. Seamless integration via a Web service is also provided out of the box for the Entrust TruePass™ product.
- Logging Service
- This centralized service is responsible for maintaining detailed logs of all end-user (logins, logouts, timeouts, etc.), administrative (user creation, privilege assignment, etc.), and system (component startup/shutdown, etc.) activity. Having all of this information maintained in a centralized manner provides enhanced security and convenience as there is one location for securing, auditing, and archiving log information.
- Session Management Service (SMS)
- The Entrust GetAccess SMS manages a central session table for all users that are currently using the system. Having a centralized SMS delivers many important security capabilities including:
- Real-time revocation of users across all servers and domains
- Idle and session timeout enforcement across all servers and domains
- Management of the end-user's unique session ID cookie, which is limited to 128 bits in size and does not contain any user-sensitive information
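As an added illustration (not Entrust's own code), the following Python model shows how the session checks made by the Entitlements Service and the centralized SMS described above fit together: an opaque 128-bit session ID, idle and session timeout enforcement from one central table, and real-time revocation. The timeout values, the role-intersection rule and all class and function names are assumptions.

```python
import secrets
import time

# Constructed model of the centralized session table described on the page:
# an opaque 128-bit session ID (no user data inside it) maps to server-side
# state, so revocation and timeouts take effect on every server at once.
IDLE_TIMEOUT = 15 * 60       # seconds; assumed value
SESSION_TIMEOUT = 8 * 3600   # seconds; assumed value


class SessionManagementService:
    def __init__(self):
        self._table = {}  # session_id -> dict(user, roles, created, last_seen)

    def create(self, user, roles, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_hex(16)  # 128 random bits, not derived from user data
        self._table[sid] = {"user": user, "roles": frozenset(roles),
                            "created": now, "last_seen": now}
        return sid

    def revoke_user(self, user):
        # Real-time revocation: drop every session of the user in the central table
        for sid in [s for s, v in self._table.items() if v["user"] == user]:
            del self._table[sid]

    def validate(self, sid, now=None):
        """Return (status, session); status is 'ok', 'no_session', 'idle_timeout' or 'session_timeout'."""
        now = time.time() if now is None else now
        sess = self._table.get(sid)
        if sess is None:
            return "no_session", None
        if now - sess["created"] > SESSION_TIMEOUT:   # absolute session lifetime
            del self._table[sid]
            return "session_timeout", None
        if now - sess["last_seen"] > IDLE_TIMEOUT:    # inactivity limit
            del self._table[sid]
            return "idle_timeout", None
        sess["last_seen"] = now
        return "ok", sess


def entitlements_decision(sms, sid, resource_roles, now=None):
    """Session check first, then role comparison. Returns 'allow', 'deny', 'login' or 'timeout'."""
    status, sess = sms.validate(sid, now)
    if status == "no_session":
        return "login"      # Runtime would redirect to the login page
    if status != "ok":
        return "timeout"    # Runtime would redirect to the timeout error page
    return "allow" if sess["roles"] & frozenset(resource_roles) else "deny"
```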