Authentication, authorization, and security
Authorization always presupposes authentication: a role can only be enforced once the identity of the caller has been established. Within the Integration Service, the ImaUserlibService provides methods for password management with basic authentication according to [RFC2617]. Every web service request to the Integration Service additionally carries information about an ImageMaster role in the request header, which is used for authorization.
In practice, a central security requirement is to protect authentication credentials in transit, which is achieved by using the HTTPS protocol. Basic authentication only base64-encodes the username and password; it does not encrypt them, so over plain HTTP they can be read by anyone on the network path. The unencrypted HTTP protocol is nevertheless supported, which can be useful for tests or high-performance scenarios, but only where the communication between the Integration Service and the other system runs in an otherwise secured area (e.g. protected by firewalls or via VPN tunneling).
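To make the point concrete, here is an added example (not code from the ImageMaster product or its documentation) of a small client helper: it builds the RFC 2617 Basic credential, shows how trivially an observer on an unencrypted path recovers the password from it, and refuses to send credentials to an http:// URL unless the caller explicitly opts in for a protected network. The header name X-ImageMaster-Role and the host name are assumptions; the page does not name the role header.

```python
import base64
from urllib.parse import urlsplit


class InsecureTransportError(Exception):
    """Raised when Basic credentials would be sent over unencrypted HTTP."""


def basic_auth_header(username: str, password: str) -> str:
    """Build an RFC 2617 Basic credential: "Basic " + base64("user:pass").

    Base64 is an encoding, not encryption: anyone who can read the request
    recovers the password with decode_basic_auth() below.
    """
    if ":" in username:
        # RFC 2617 reserves ':' as the separator between user-id and password.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header: str) -> tuple[str, str]:
    """Recover (username, password) from a Basic credential, as an eavesdropper would."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    username, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: missing ':'")
    return username, password


def build_request_headers(url: str, username: str, password: str, role: str,
                          allow_plain_http: bool = False) -> dict[str, str]:
    """Headers for an Integration Service call: Basic credentials plus a role header.

    Plain http:// is refused unless the caller explicitly opts in, which should
    only be done inside a network that is otherwise protected (firewall, VPN).
    X-ImageMaster-Role is a hypothetical header name chosen for this example.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme == "http" and not allow_plain_http:
        raise InsecureTransportError(
            f"refusing to send Basic credentials to {url}: use https:// or "
            "set allow_plain_http=True inside a protected network"
        )
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported URL scheme: {scheme!r}")
    return {
        "Authorization": basic_auth_header(username, password),
        "X-ImageMaster-Role": role,  # hypothetical header name, see docstring
    }


if __name__ == "__main__":
    # Constructed sample values; the host name is not a real system.
    headers = build_request_headers("https://archive.example.test/ims",
                                    "alice", "s3cret", "Archivist")
    print(headers)
    # What a passive observer on a plain-HTTP path would learn from the header:
    print(decode_basic_auth(headers["Authorization"]))
```

The opt-in flag mirrors the operational rule in the text: plain HTTP is a deliberate decision for a test or an isolated, firewalled segment, never the default.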
All communication channels in an ImageMaster environment support certificate-based TLS (SSL) encryption and make use of standardized security mechanisms:
- basic authentication and WS-Security for the Integration Service and the File Interoperability Service
- use of the SFTP protocol in the underlying file archiving architecture
- use of the HTTPS protocol in client communication (WorkplaceClient and AdminClient)
- peripheral security configurations (as supported by the application servers)
- security for integrated third-party products (e.g. Oracle Transparent Network Encryption and Integrity)
The corresponding security configuration options are covered by the installation process [IM ImageMaster], which for example requires the installation of certificates.
The LDAP feature provided with the ImageMaster system allows ImageMaster users to be created on the basis of an existing LDAP or MS Active Directory (AD) infrastructure, with an assignment of ImageMaster roles that defines the user's access permissions to ImageMaster features [SM Authentication].
In scenarios with strong security requirements, the integrated password manager can be set up so that all communication channels which rely on internally stored, encrypted passwords must be unlocked with a master password during system startup (see chapter Optional and internally used web services, "ImaSecurityService"). Until the master password has been entered, these stored passwords remain encrypted and the corresponding channels cannot be used. This complies with the strict requirements of the standardized Telekom PSA process [Telekom PSA], which integrates security and data privacy requirements into projects and system implementations in order to ensure an appropriate level of protection.
Two-factor authentication is supported to further protect access to user accounts. With this feature the regular username and password check is combined with a second authentication factor such as a hardware token or a mobile device app, which generates a short one-time code that must be entered to complete the login. A stolen or intercepted password alone is then no longer sufficient to log in.
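The page does not say which one-time code scheme the mobile app uses; the following added example (not ImageMaster code) assumes the common time-based scheme of RFC 6238 (TOTP over RFC 4226 HOTP) to show what the app and the verifying server each compute, and what the server must do beyond comparing digits: tolerate a little clock skew, compare in constant time, and refuse a code that has already been accepted (replay). The base32 secret in the `__main__` block is the RFC 6238 test secret, not a real key.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default).

    This is what the mobile app shows the user for the current half minute.
    """
    return hotp(key, int(timestamp) // step, digits)


def key_from_base32(secret: str) -> bytes:
    """Decode the base32 secret shared with the authenticator app (padding optional)."""
    secret = secret.strip().replace(" ", "").upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


class TotpVerifier:
    """Server-side check of a submitted one-time code.

    - tolerates clock skew of +/- `window` time steps,
    - compares codes in constant time,
    - rejects any time step at or before the last accepted one (replay protection).
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_accepted_counter: Optional[int] = None

    def matching_counter(self, code: str, timestamp: int) -> Optional[int]:
        """Return the time step whose code matches, or None."""
        if len(code) != self.digits or not code.isdigit():
            return None
        now = int(timestamp) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = now + delta
            if hmac.compare_digest(hotp(self.key, candidate, self.digits), code):
                return candidate
        return None

    def verify(self, code: str, timestamp: int) -> bool:
        counter = self.matching_counter(code, timestamp)
        if counter is None:
            return False
        if self.last_accepted_counter is not None and counter <= self.last_accepted_counter:
            return False  # the same (or an older) code was already used: replay
        self.last_accepted_counter = counter
        return True


if __name__ == "__main__":
    import time
    # RFC 6238 test secret "12345678901234567890" in base32; not a real key.
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(key, now)            # what the app would display right now
    verifier = TotpVerifier(key)
    print(code, verifier.verify(code, now), verifier.verify(code, now))  # second use is rejected
```

The replay check matters in practice: a code is valid for a whole time step plus the skew window, so an attacker who shoulder-surfs or phishes a code could otherwise reuse it within that minute.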