Recommended aXes Security Implementations

Arterial Software recommends that when deploying aXes across an insecure network such as the Internet, all communication between a Web browser and aXes be performed using the Secure Sockets Layer (SSL) protocol. Using SSL ensures that all data, including user IDs and passwords, is strongly encrypted and thus protected from casual interception.

aXes can be implemented in a number of configurations, providing simple installation and management at the low end while allowing scalability and performance at the high end. Arterial Software suggests one of the following scenarios.

Single iSeries (AS/400) Server environment

This straightforward solution has the aXesTS Terminal Server and the Web Server running on the same host, with all traffic between the host and the client secured using the Secure Sockets Layer protocol.

An existing or new SSL certificate provided by a trusted certificate provider such as VeriSign is installed on the iSeries (AS/400) host. The certificate is loaded in the default certificate store and associated with the web serving application, in this case aXesW3. As previously documented, any web server that supports the FastCGI and SSL protocols can be used.

The aXesW3 web server, unlike other iSeries web servers, compresses the data before the SSL encryption and decryption takes place. Less data therefore needs to be processed, resulting in higher SSL throughput and less CPU usage.

This environment is ideal for companies that have no existing web serving platform and wish to provide web access to existing iSeries applications, or that are consolidating a large server farm or distributed iSeries (AS/400) network to a single iSeries host system.

Multiple Server environments

This scenario involves running the aXesTS terminal server on the iSeries (AS/400) host and using a second host (iSeries, Unix or Windows) to provide the web serving component and SSL functionality.
The key feature in this example is the scalability and flexibility of aXes to run in an existing multi-server environment. The aXesTS terminal server runs the user's session on the iSeries host, provides the XML conversion and communicates with the web server via the FastCGI protocol over TCP/IP. The existing Web Server architecture is used to serve the application to the browser and provide the SSL support. Please note that both servers are behind the firewall router.

Multiple Server Environment with DMZ

This scenario involves running the aXesTS terminal server on the iSeries (AS/400) host and using a second host (iSeries, Unix or Windows), running in a Demilitarized Zone (DMZ) outside the firewall, to provide the web serving component and SSL support.
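
The single-server section states that aXesW3 compresses data before SSL encryption takes place. The following added example (not Arterial Software's code) shows why that order matters by comparing byte counts for both orderings. It assumes a constructed XML screen and a toy SHA-256 keystream cipher standing in for the SSL cipher; every name in it is hypothetical.

```python
import hashlib
import zlib


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream.

    Illustrative stand-in for the SSL record cipher (assumption); it is
    NOT secure and NOT what aXesW3 uses. Encrypts and decrypts alike.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def sample_screen(rows: int = 24) -> bytes:
    """Constructed XML resembling a terminal screen; not real aXes output."""
    fields = "".join(
        f'<field row="{r}" col="1" len="80">CUSTOMER {r:04d} ACTIVE</field>'
        for r in range(1, rows + 1)
    )
    return f"<screen>{fields}</screen>".encode()


def compare_orders(payload: bytes, key: bytes, nonce: bytes) -> dict:
    """Return byte counts for both orderings of compression and encryption."""
    compress_then_encrypt = toy_stream_cipher(key, nonce, zlib.compress(payload))
    # Ciphertext looks random, so compressing it afterwards gains nothing.
    encrypt_then_compress = zlib.compress(toy_stream_cipher(key, nonce, payload))
    return {
        "plain": len(payload),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


def receive(wire: bytes, key: bytes, nonce: bytes) -> bytes:
    """Receiver side of compress-then-encrypt: decrypt, then decompress."""
    return zlib.decompress(toy_stream_cipher(key, nonce, wire))


if __name__ == "__main__":
    KEY, NONCE = b"constructed-demo-key", b"nonce-01"
    for name, size in compare_orders(sample_screen(), KEY, NONCE).items():
        print(f"{name:>22}: {size} bytes")
```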