APTARE Architecture and Security Technical Note
Version 10.2.01P10
APTARE can be deployed securely in a variety of operational environments, including a private LAN, a virtual private network (VPN), a corporate intranet, a multi-tenant environment, and even the public Internet. The security features for APTARE communications (for example, between Web Client and Host) can be customized for your operational environment. APTARE can be configured to provide an end-to-end security context between the user’s browser and the APTARE Portal Server, which provides security, privacy, user authentication, and non-repudiation. Messages between the APTARE Web Client and Portal Server (Portal) are secured when the server is configured to use HTTPS/SSL, which provides for authentication and encryption of traffic. SSL communication between the Portal and the Data Collectors is fully supported.
APTARE has a hub and spoke architecture with two main components:
Portal: A centralized location (the underlying database is embedded and includes licenses, etc. for Oracle 12c).
Data Collectors: For Backup Manager, the Data Collector interfaces with the underlying Backup Vendor Products (for example, Veritas NetBackup, Veritas Backup Exec, IBM Spectrum Protect (TSM), EMC Avamar, EMC NetWorker, HP Data Protector, Veeam Backup & Replication, Oracle Recovery Manager (RMAN), or Commvault Simpana) using the standard published interfaces to that backup product. Likewise, for Capacity Manager, the Data Collector uses storage array mechanisms specific to each vendor’s storage system (for example, HDS, IBM, EMC Symmetrix, EMC CLARiiON, Pure Storage, and NetApp). In addition, Host Resources data is acquired. The data is parsed and packaged into Java objects, serialized into an HTTP or HTTPS data stream, compressed, sent over the network via port 80 (HTTP) or port 443 (HTTPS), and inserted into the underlying Portal database.
Portal Server Architecture
APTARE uses a three-tiered architecture on the Portal Server(s):
Web Server: Embeds Apache and applies the latest set of Apache security patches to eliminate all known security vulnerabilities.
Apache Tomcat: Uses Tomcat as the Java Servlet engine. The system communicates between Apache and Tomcat using standard Apache connectors.
Oracle 12c database: Communicates with the Oracle 12c database using JDBC.
The Portal deploys Apache Tomcat on a single web server and the Oracle 12c database on its own dedicated system.
For a complete list of supported environments, see https://aptare.com/supportedenvs
Figure 1.1 Architecture with Port Numbers
Web Browser Security
All Portal features, including Capacity Manager, are accessible through a standard web browser that supports HTML 5. This native browser integration eliminates the need for Java applets, ActiveX controls, or any other piece of client-installed software. This browser-based user interface allows corporations to leverage standards-based security, such as SSL, to protect and encrypt traffic between the Portal and the client browser.
User Authentication
The Portal supports the following user authentication methods:
Local LDAP. The Portal bundles OpenLDAP to manage user login authentication. For information about OpenLDAP, go to http://www.openldap.org.
Enterprise LDAP. Refers to any standard LDAP service, including Microsoft Active Directory. For information about Active Directory, go to Microsoft’s Active Directory portal.
By default, the Portal uses OpenLDAP for user authentication.