Connect 2016 - IBM Mobile Connect - Real World Usage Scenarios
Post on 08-Jan-2017
Make Every Moment Count
Connect 2016 – The Premier Social Business and Digital Experience Conference
#ibmconnect
1130 – IBM Mobile Connect: Real World Usage Scenarios
René Winkelmeyer, midpoints GmbH
Sun, 31 Jan 2016
Agenda
• IBM Mobile Connect at a glance
• Scenario “Configuration for IBM Traveler (and others)”
• Security considerations – Certificate based authentication
• Security considerations – MDM integration
About me
René Winkelmeyer, Head of Development
• IBM Advanced Business Partner
• IBM Design Partner (Notes Domino, Mobile, Verse)
• Apple Enterprise Developer and MDM Group Member
• Samsung Enterprise Alliance Partner
• Worldwide Service Offerings
§ Enterprise Mobility
§ Mobile Device and Application Management
§ IBM Traveler and IBM Mobile Connect implementation + custom add-on products
About me – Reach out any time
René Winkelmeyer, Head of Development
Skype / Twitter / LinkedIn => muenzpraeger
Web: https://blog.winkelmeyer.com, http://www.midpoints.de
Mail: mail@winkelmeyer.com, rene.winkelmeyer@midpoints.de
What is this session about?
• Enhancements and new configurations of IBM Mobile Connect to make your life easier.
• If you are looking for a starter guide, please check out my slides from Lotusphere 2012 and 2013.
IBM Mobile Connect at a glance
The latest version of this slide deck is available on https://slideshare.net/muenzpraeger
IBM Mobile Connect – Specifications
• Current version: 6.1.5.2
• Server
§ Windows – 2003/2008/2012 Server
§ Linux – Red Hat Enterprise & SuSE Enterprise Server
§ AIX
IBM Mobile Connect – Specifications
• Mobility (VPN) Clients
§ Microsoft Windows 2000, XP, Vista, 7
§ OS X
§ Linux (Red Hat, SuSE, Novell)
§ Windows Mobile incl. 6.5, Symbian (selected devices), Palm
§ Android
• Browser
§ IE, Firefox, Safari, Chrome
IBM Mobile Connect – Capabilities
• VPN gateway
§ Clients are available for Windows, Mac, Linux, Android
• WiFi gateway
• Clientless gateway (focus of this session)
§ HTTP access, like browsers or mobile apps
Reverse Proxy – why and how?
• A Reverse Proxy acts as a tier between a requester (e.g. a browser) and a backend system.
• In contrast to a Forward Proxy, a Reverse Proxy acts on behalf of the web server.
• The Reverse Proxy forwards the incoming request to the backend system and sends the response back to the user.
Reverse Proxy – why and how?
[Diagram: requester → Reverse Proxy → Backend system]
What is a Secure Reverse Proxy?
• Defined endpoint for encrypted communication between external clients and internal systems.
• Central authentication and Single-Sign-On for all connected backend systems.
• Access authorisation for the connected backend systems.
IBM Mobile Connect as Secure Reverse Proxy
• Single-Sign-On using username/password or certificates for IBM backend systems
• Authentication sources are Domino LDAP or Active Directory
• Single URL access
• Automatic IBM Traveler Pool assignment
Infrastructure scenarios
[Diagram: single external URL https://mobile.midpoints.net with the paths /traveler, /chat and /social; clients connect via HTTPS to the Secure Reverse Proxy, which forwards via HTTP(S) to the backend systems Traveler, Sametime and Connections]
Infrastructure scenarios
[Diagram: external URL https://mobile.midpoints.net/traveler; clients connect via HTTPS to the Secure Reverse Proxy with load balancing and failover, which forwards via HTTP(S) to a Traveler HA service pool (Traveler 1, 2 and 3) sharing an IBM DB2 / MS SQL database; the Traveler servers reach the Domino Mail servers over Notes]
Why IBM Mobile Connect – and not others?
• Native integration for all IBM Collaboration products
• Up-to-date TLS stack
• Scaling – one server can handle 10k parallel accesses
• MDM integration
• IBM support
Remember Domino and SHA2?
IBM Mobile Connect – Components
• Connection Manager
§ The IMC Connection Manager is the main component. It forwards the client requests to the backend systems.
• Gatekeeper
§ A Java-based administration client for IMC. Can be installed on the same system as the Connection Manager or on another one.
IBM Mobile Connect – Components
• Access Manager
§ Gets installed with the Connection Manager on the server. It is responsible for pushing the configuration changes (from the Gatekeeper) to the internally used database. It also updates the Connection Manager dynamically.
Scenario “Configuration for IBM Traveler (and others)”
IBM Traveler and IBM Mobile Connect
• Mobile mail access is a critical component nowadays in every environment. So is Traveler.
• Different environment setups are possible for Traveler
§ Standalone setup
§ High Availability with one or multiple pools
IBM Traveler – Pool definition / challenges
• A “Traveler pool” is the logical combination of multiple Traveler servers that share the same backend database.
§ A single pool can serve up to 10k devices.
§ The Traveler servers handle load balancing internally.
• Different setups are possible, like splitting pools by device type, user region and more.
§ Without a centralized proxy all will have different entry point URLs.
IBM Traveler – How IBM Mobile Connect helps
• IMC has four main features that improve the Traveler experience.
§ Defined proxy rules for Traveler access
§ Session assignment
§ Single URL support
§ Automatic Server/Pool assignment
IMC workflow (simplified)
[Flow: authenticated user connects → check whether pool assignment is active → validate the user's LDAP attribute → attribute set: assign the pool; attribute not set: don't assign]
Automatic Server/Pool assignment configuration
• Define within a http-access service which LDAP attribute should be queried
Automatic Server/Pool assignment configuration
• An “Application server pool” is a dedicated resource type
Automatic Server/Pool assignment configuration
• A “Pool configuration” contains one or multiple backend host names.
Automatic Server/Pool assignment configuration
• One or multiple strings can be added for the automatic pool assignment. The value must match the content of the LDAP field.
Automatic Server/Pool assignment configuration
• Multiple server pools can be defined.
Automatic Server/Pool assignment configuration
• Activate the application server pool usage in the http-access service
Adding more apps
• Besides Traveler all ESS backend systems are supported with specialized URL and content handling
§ e.g. URL rewriting of transmitted content
• Delivers perfect integration including SSO capabilities
§ IBM Connections
§ IBM Connections Chat
§ IBM Domino
Adding more apps
• Simplified by an application-specific identifier.
Summary
• The built-in capabilities help to deliver a streamlined administrative experience.
• Hassle-free connection to IBM ESS backend systems.
§ LTPA1 and LTPA2
Security considerations – Certificate based authentication
Certificates? Certificates!
• A high level of security can be achieved by using certificates for authentication.
• Certificates are a common practice for verifying clients and servers. The latter is mostly known as “SSL hostname authentication”.
§ Companies are moving more and more to client certificate based authentication for different services.
§ Domino companies should be familiar with that… ;-)
Why set up IBM Mobile Connect for this?
• Achieve a higher level of security by using certificate based authentication for your critical data.
§ Different setup scenarios are available.
• Remove the need for passwords – make it easier for your users. But only if you want.
IMC workflow (simplified)
[Flow: client presents certificate (optionally combined with 2FA) → IMC validates the public key and the validity → subject string check against LDAP → SSO to the backend]
Configuring Certificate based authentication
• The standard authentication process leverages a username/password combination.
Configuring Certificate based authentication
• Add 2-Factor-Authentication by enforcing additional password usage.
§ Can be enriched with a user id check
Configuring Certificate based authentication
• Trust your certificates and resolve the username based on certificate criteria.
Configuring Certificate based authentication
• Additional security/alternatives can be added using a custom string match.
Summary
• Certificate based authentication enhances your backend applications' security.
• Different setups allow you to leverage it as you need it.
• Certificate deployment options need to be revisited.
§ Not all IBM ESS apps support certificate based authentication (yet).
Security considerations – MDM integration
What is MDM?
• Mobile Device Management (MDM) is used to manage devices and applications in your mobile workforce
§ Lots of companies still don’t use an MDM. And you?
• Allows remote device configuration, data and device deletion, app deployment and much more.
Why MDM integration for IBM Mobile Connect?
• A Reverse Proxy authenticates only the user – not the device. So there is no control over whether “unmanaged” devices can access internal resources.
§ Jailbroken/rooted devices
§ Data Loss Prevention
IMC / MDM integration infrastructure
[Diagram: external URLs https://mobile.midpoints.net/traveler and https://mobile.midpoints.net/connections; clients connect via HTTPS to IBM Mobile Connect, which queries the MDM services and forwards via HTTP(S) to IBM Notes Traveler (backed by Domino Mail servers over Notes) and IBM Connections]
How does the MDM integration work?
• Depending on the incoming request different values are evaluated.
§ Traveler identification is determined by the submitted sync device id in the URL call.
§ IBM ESS apps are sending custom headers with their authorization requests. Those headers are set via MDM.
• Custom access definitions, like “allow” or “deny”, are then applied.
IMC workflow (simplified)
[Flow: user is authenticated → device information is extracted → device is validated via the MDM interface → allowed: access; not allowed: no access]
Configuring MDM integration
• “MDM Integration” is a separate resource type
Configuring MDM integration
• Validation results (and outcome) are configurable.
Configuring MDM integration
• Enhanced checks are available like compliance re-validation and user mapping.
Configuring MDM integration
• Custom “tokens” can be used for different setups on the same vendor.
IBM Mobile Connect configuration
• Besides tight security you can also configure it a little more loosely.
§ Great for migration scenarios.
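The MDM gate described in this section (device id from the Traveler sync URL or from an MDM-set header, lookup against the MDM, allow/deny with compliance and user-mapping checks, plus a looser migration mode) as an added example; it is not IMC code. The header name X-Device-Token, the ActiveSync-style DeviceId query parameter, the inventory table and the function names are assumptions for this demo.

```python
# Illustrative model of the IMC/MDM access decision. Added example, not IBM
# Mobile Connect code; X-Device-Token, MDM_INVENTORY, extract_device_id and
# decide are assumptions for this demo.
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the MDM vendor's device inventory API.
MDM_INVENTORY: Dict[str, dict] = {
    "APPL-1234": {"enrolled": True, "compliant": True, "owner": "alice"},
    "ANDR-9999": {"enrolled": True, "compliant": False, "owner": "bob"},  # rooted
    "TOKEN-abc": {"enrolled": True, "compliant": True, "owner": "carol"},
}


def extract_device_id(path: str, headers: Dict[str, str]) -> Optional[str]:
    """Traveler sync: the device id travels in the URL query; IBM ESS apps send
    a custom header set by the MDM. Returns None when neither is present."""
    query = parse_qs(urlparse(path).query)
    if "DeviceId" in query:                  # ActiveSync-style query parameter
        return query["DeviceId"][0]
    return headers.get("X-Device-Token")     # header name assumed for this demo


def decide(user: str, path: str, headers: Dict[str, str],
           mode: str = "strict", inventory=MDM_INVENTORY) -> Tuple[str, str]:
    """Return (outcome, reason). 'strict' denies anything the MDM cannot vouch
    for; 'loose' (migration mode) lets unknown devices through but still
    blocks non-compliant and mis-mapped ones. The reason is what you log."""
    device_id = extract_device_id(path, headers)
    if device_id is None:
        if mode == "strict":
            return "deny", "no device information in request"
        return "allow", "no device information, loose mode"
    record = inventory.get(device_id)
    if record is None or not record["enrolled"]:
        if mode == "strict":
            return "deny", "device not enrolled in MDM"
        return "allow", "unmanaged device, loose mode"
    if not record["compliant"]:
        return "deny", "device not compliant"            # jailbroken/rooted etc.
    if record["owner"] != user:
        return "deny", "device enrolled to another user"  # user mapping check
    return "allow", "managed and compliant"
```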
Available MDM integrations
Summary
• MDM integration adds an additional layer of security.
• Different setup scenarios are available to fit your organization's needs.
Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
Acknowledgements and Disclaimers cont.
© Copyright IBM Corporation 2015. All rights reserved.
• U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
• IBM, the IBM logo, ibm.com, IBM Domino, IBM Sametime, IBM Connections are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
“Maas360” is a trademark of Fiberlink Communications Corporation.
Other company, product, or service names may be trademarks or service marks of others.