This document explains how to use the Security Zones Self Service User Interface to manage entries in the VPN Security Zone configuration of an Adobe Campaign Classic (6.11 & 7) deployment.

Introduction

Security Zones play an important part in securing Adobe Campaign Classic installations. Their configurations are listed in the global serverConf.xml configuration file or in the instance configuration file config-<instance>.xml as a nested series of securityZone and subNetwork elements.

In Managed Services (Adobe hosted) deployments of Adobe Campaign Classic, access to these configuration files is restricted to TechOps, and the configuration itself is automatically generated from configuration management. This makes updating the configuration a tedious and error-prone back-and-forth process as customers' environments change.

Typically, changes in customers' environments are related to making sure a customer's user gets access to the Campaign instance with the Windows Console application.

Using the Security Zones Self Service User Interface, two kinds of Security Zone entries can be managed:

  • More entries for the vpn security zone. These entries inherit all the permissions assigned to the vpn security zone and allow all users assigned to the vpn security zone to access the system. These entries are to be used for Windows Console users.
  • More entries for a web services security zone. These entries inherit all the permissions of the vpn security zone and are granted the allowUserPassword and sessiontokenOnly permissions. These entries are to be used for web services consumers.

Prerequisites

Note:

The Security Zones Self Service User Interface is installed by Adobe upon request by customers.

If your instance has been provisioned with the Security Zones Self Service User Interface, you see a Security Zones entry in the Explorer's navigation tree of the Campaign Classic Console:

sz-navtree

Editing Security Zones

To edit the Security Zones, click the Explorer tab and select Administration > Configuration > Security Zones.

sz-ui

The list shows existing configured Security Zone entries. After first installing the Security Zones Self Service User Interface, the list will be empty.

  • In the bottom half of the window on the right, you can edit the currently selected entry.
  • To add an entry, click the Create icon. A dialog with a form pops up to enter the entry data. Select Ok to check the input and save the entry or Cancel to cancel creating an entry.
  • To remove an entry, select it and click the Delete icon. A dialog pops up to confirm the deletion. Select Ok to remove the entry or Cancel to cancel and keep the entry.
  • You can also duplicate an existing entry by right-clicking it and selecting Duplicate... from the pop-up menu.

Validations on Entries

The Security Zones configuration entries are validated as follows:

Fields and requirements:

Name:
  • Must not be empty
  • Must be unique among all Security Zones configuration entries
Mask:
Label: No validation necessary, as the label is purely informative

A validation failure is indicated with a dialog box indicating the problem. The entry can only be saved if validation is successful.

Mapping Entries to Configuration

The configuration entries are mapped to <securityZone> elements in the instance configuration file as follows:

Fields and descriptions:

Web service: An entry is created as a <subNetwork> element inside a <securityZone> element as follows:

  • Box not checked: as an element in a <securityZone> equivalent to the vpn Security Zone
  • Box checked: as an element in a <securityZone> equivalent to the vpn Security Zone plus permissions allowUserPassword and sessiontokenOnly

Name: @name attribute of the <subNetwork> element
Label: @label attribute of the <subNetwork> element
Mask: @mask attribute of the <subNetwork> element

Note:

The @proxyMask attribute of the <subNetwork> element is globally defined and cannot be edited for individual entries. See the section Configuring the @proxyMask below.
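
The Name validations and the field-to-attribute mapping described above can be applied to a list of planned entries before they are typed into the interface. The following Python is an added example, not Adobe's code: the sample entries, the treatment of Mask as an IP address or CIDR range, and the prefix thresholds are assumptions, since the page does not state the Mask format.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample entries (RFC 5737 documentation ranges), not from a real instance.
ENTRIES = [
    {"name": "office-hq", "label": "HQ office", "mask": "192.0.2.0/24", "web_service": False},
    {"name": "crm-api", "label": 'Partner "A" & B', "mask": "198.51.100.17", "web_service": True},
    {"name": "office-hq", "label": "Duplicate name", "mask": "203.0.113.0/24", "web_service": False},
    {"name": "", "label": "No name", "mask": "203.0.113.8/29", "web_service": False},
    {"name": "anywhere", "label": "Too broad", "mask": "0.0.0.0/0", "web_service": True},
]

# Assumption: local review thresholds (shortest prefix accepted), not an Adobe rule.
MIN_PREFIX = {4: 16, 6: 32}

def validate(entries):
    """Return (accepted, problems); problems are (index, reason) tuples."""
    seen, accepted, problems = set(), [], []
    for i, entry in enumerate(entries):
        name = entry["name"].strip()
        if not name:                      # page rule: Name must not be empty
            problems.append((i, "name is empty"))
            continue
        if name in seen:                  # page rule: Name must be unique
            problems.append((i, "name is not unique"))
            continue
        seen.add(name)
        try:                              # assumption: mask is an IP address or CIDR range
            net = ipaddress.ip_network(entry["mask"], strict=False)
        except ValueError:
            problems.append((i, "mask is not an IP address or CIDR range"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append((i, "mask is broader than the review threshold"))
            continue
        accepted.append(entry)
    return accepted, problems

def render(entries):
    """Group accepted entries by target zone; serialize each as a <subNetwork> element."""
    zones = {"vpn": [], "web service": []}
    for entry in entries:
        attrs = {k: entry[k] for k in ("name", "label", "mask")}
        xml = ET.tostring(ET.Element("subNetwork", attrs), encoding="unicode")
        zones["web service" if entry["web_service"] else "vpn"].append(xml)
    return zones

if __name__ == "__main__":
    print(render(validate(ENTRIES)[0]), validate(ENTRIES)[1], sep="\n")
```

Because Label is free text with no validation, the serializer's attribute escaping is what keeps a label containing quotes or ampersands from breaking the element.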

Transferring Security Zones

All security zones entries entered in this user interface are stored in the database only and require an explicit process for them to become active:

  • When the instance restarts, the startup script forces the transfer of the configuration entries stored in the database into the instance's configuration file. Generally, an instance restart is forced daily.
  • To immediately test your configurations, click the Transfer Security Zones button to show this dialog:
sz-transfer

Upon clicking the Ok button, the entries from the database are transferred into the instance's configuration file. By default, this configuration is not reloaded on your instance. To have it reloaded and thus activated immediately, check the Check to reload configuration after transfer box.

Note:

If the instance is composed of multiple containers, the other containers update within 30 minutes.

Configuring the @proxyMask

The @proxyMask for the <subNetwork> element is globally configured with the adbSecurityZonesProxy option.

configuring_proxymask
