Security Zones play an important part in securing Adobe Campaign Classic installations. Their configurations are listed in the global serverConf.xml configuration file or in the instance configuration file config-<instance>.xml as a nested series of securityZone and subNetwork elements.
In Managed Services (Adobe hosted) deployments of Adobe Campaign Classic, access to these configuration files is restricted to TechOps and the configuration itself is automatically generated from configuration management. This makes updating the configuration as customers' environments change a tedious and error-prone back-and-forth process.
Typically, changes in customers' environments are related to making sure a customer's user gets access to the Campaign instance with the Windows Console application.
Using the Security Zones Self Service User Interface, two kinds of Security Zone entries can be managed:
- More entries for the vpn security zone. These entries inherit all the permissions assigned to the vpn security zone and allow all users assigned to the vpn security zone to access the system. These entries are to be used for Windows Console users.
- More entries for a web services security zone. These entries inherit all the permissions of the vpn security zone and are granted the allowUserPassword and sessiontokenOnly permissions. These entries are to be used for web services consumers.
The Security Zones Self Service User Interface is installed by Adobe upon request by customers.
If your instance has been provisioned with the Security Zones Self Service User Interface, you see a Security Zones entry in the Explorer's navigation tree of the Campaign Classic Console:
To edit the Security Zones, click the Explorer tab and select Administration > Configuration > Security Zones.
The list shows existing configured Security Zone entries. After first installing the Security Zones Self Service User Interface, the list will be empty.
- In the bottom half of the window on the right, you can edit the currently selected entry.
- To add an entry, click the Create icon. A dialog with a form pops up to enter the entry data. Select Ok to check the input and save the entry or Cancel to cancel creating an entry.
- To remove an entry, select it and click the Delete icon. A dialog pops up to confirm the deletion. Select Ok to remove the entry or Cancel to cancel and keep the entry.
- You can also duplicate an existing entry by right-clicking it and selecting Duplicate... from the pop-up menu.
|Label||No validation necessary as the label is purely informative|
A validation failure is reported in a dialog box describing the problem. The entry can only be saved if validation is successful.
The configuration entries are mapped to <securityZone> elements in the instance configuration file as follows:
An entry is created as a <subNetwork> element inside a <securityZone> element as follows:
|Name||@name attribute of the <subNetwork> element|
|Label||@label attribute of the <subNetwork> element|
|Mask||@mask attribute of the <subNetwork> element|
The @proxyMask attribute of the <subNetwork> element is globally defined and cannot be edited for individual entries. See the section Configuring the @proxyMask below.
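The mapping above, as an added example that is not Adobe's code or the user interface's own validation: it reviews each entry's mask before rendering the <subNetwork> elements, so an over-broad or mistyped range is caught before it is entered. It assumes the mask holds comma-separated CIDR ranges and that the zone carries a name attribute; the review threshold, the sample entries and the proxyMask value are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: prefixes shorter than these are held back for manual review.
MIN_PREFIX = {4: 16, 6: 32}


def review_mask(mask):
    """Return a list of findings for a mask given as comma-separated CIDR ranges."""
    findings = []
    for part in (p.strip() for p in mask.split(",")):
        try:
            # strict=True rejects ranges with host bits set (e.g. 203.0.113.5/24).
            net = ipaddress.ip_network(part, strict=True)
        except ValueError as exc:
            findings.append(f"{part!r}: not a valid network ({exc})")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"{part}: /{net.prefixlen} is broader than the review threshold")
    return findings


def render_zone(zone_name, entries, proxy_mask):
    """Build a <securityZone> element with one <subNetwork> per accepted entry."""
    zone = ET.Element("securityZone", {"name": zone_name})
    rejected = {}
    for entry in entries:
        findings = review_mask(entry["mask"])
        if findings:
            rejected[entry["name"]] = findings
            continue
        ET.SubElement(zone, "subNetwork", {
            "name": entry["name"],
            "label": entry["label"],
            "mask": entry["mask"],
            "proxyMask": proxy_mask,  # global value, identical for every entry
        })
    return zone, rejected


# Constructed sample entries using documentation address ranges.
SAMPLE = [
    {"name": "officeLondon", "label": "London office", "mask": "198.51.100.0/24"},
    {"name": "anywhere", "label": "Temporary", "mask": "0.0.0.0/0"},
    {"name": "typo", "label": "Host bits set", "mask": "203.0.113.5/24"},
]

if __name__ == "__main__":
    zone, rejected = render_zone("vpn", SAMPLE, "192.0.2.10")
    print(ET.tostring(zone, encoding="unicode"))
    for name, findings in rejected.items():
        print(name, findings)
```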
All security zone entries entered in this user interface are stored in the database only and require an explicit process for them to become active:
- When the instance restarts, the startup script forces the transfer of the configuration entries stored in the database into the instance's configuration file. Generally, an instance restart is forced daily.
- To immediately test your configurations, click the Transfer Security Zones button to show this dialog:
Upon clicking the Ok button, the entries from the database are transferred into the instance's configuration file. By default, this configuration is not reloaded on your instance. To have it reloaded and thus activated immediately, check the Check to reload configuration after transfer box.
If the instance is composed of multiple containers, the other containers update within 30 minutes.
The @proxyMask for the <subNetwork> element is globally configured with the adbSecurityZonesProxy option.